Two people entered the Natural Wonders Dispensary on March 8, emptied the cash register and took money and jars of cannabis from the store’s safe. According to a detective’s affidavit, the thieves made off with about $8,000 in cash from the Southeast Portland dispensary.
Soon after the robbery, a block away, a silver Volkswagen blew through a stop sign and crashed into another vehicle. A detective who happened to witness the accident saw three people jump out of the Volkswagen and run. Responding officers set up a perimeter and called in a K9 team, but never found the people who fled.
The detective who witnessed the accident found the stolen jars of marijuana on the floor of the car along with two handguns.
Just outside the car, still plugged into a USB charger, police also found a black iPhone. A detective put the phone in airplane mode, connected it to a power source, and put it into evidence.
No one has been arrested for the robbery yet, but the phone and the technology police used to search it are part of a rapidly changing legal environment – an area where the Portland Police Bureau is precariously on the edge of what’s permissible in modern policing.
To access and search information stored on a locked phone, Portland police officers — along with dozens of law enforcement agencies across the state — have turned to mobile device forensic tools, or MDFTs. The two most prominent are Cellebrite and Graykey. The tools are controversial, closely guarded hardware and software available to government agencies that allow a user to create an unencrypted, mirror image of a phone’s entire contents.
Once extracted, MDFTs present a phone’s millions of lines of code in an easily searchable interface.
Tech companies have tried for years to shore up vulnerabilities these tools exploit in their software, and decried the danger they pose to consumer privacy.
Over the past decade, MDFT use has quickly proliferated across the country. Records obtained by OPB show the Portland Police Bureau adopted the technology as early as October 2014 and has invested at least $270,629.96, outspending significantly larger departments.
By contrast, since 2015, the similarly-sized Seattle police department has spent at least $240,837 on MDFTs. The Houston police department, with five times more officers than PPB, has spent at least $210,255, and the Los Angeles police department spent around $358,426 despite being almost 10 times the size of the Portland police.
Warrants reviewed by OPB going back to 2018 show PPB searching phones to investigate a wide array of crimes ranging from attempted murder, bank fraud and robbery to lower level crimes like bike theft. And for years, the bureau was conducting digital searches with no policies in place regulating the practice.
Until January 2020, the Portland Police Bureau did not have mobile forensics policy guiding how it conducted the searches. Absent policies, officers were still constrained by nascent and rapidly changing case law. But for more than five years, the police bureau was searching the most intimate recesses of people’s lives with no official guidelines regulating how and when those searches would be done.
The same month the 2020 policies took effect, Logan Koepke and his team of researchers at Washington D.C.-based nonprofit Upturn were nearing publication on a report about how law enforcement across the country uses MDFTs.
The Portland Police Bureau responded to Koepke’s records request for usage logs by saying they weren’t keeping track of how often officers were searching phones. According to records obtained by OPB, police bureau memos requesting to purchase these tools indicate investigators are searching phones almost every day.
“The value of Graykey can not be overstated,” a May 2018 memo reads. “The Portland Police Bureau’s Digital Forensic Lab fields calls on a nearly daily basis from investigators requesting assistance with passcode-locked iPhones.”
The bureau’s recently adopted standard operating procedures now require a quarterly report that includes the number of devices examined and total volume of data processed. Those records had not been provided to OPB by the time this story was published.
In the Natural Wonders dispensary robbery case, an officer filed an affidavit requesting a search warrant to “seize, search, and analyze the entirety of the data extracted” from the phone found at the scene.
In theory, and by law, the warrant is limited in scope.
“You have to write the warrant specifically for what you expect to find and what your probable cause is that it will be on the phone,” said Cmd. Jeff Bell, the Portland Police Bureau’s detective division head who also oversees the forensic evidence division. “We’re extracting really specific information and looking for what the investigator had detailed very specifically in their affidavit.”
The dispensary robbery warrant sought “any and all communications” with other unknown co-conspirators, any and all media, system data, documents or other information connecting the phone’s owner to the robbery, any and all location data connecting the phone’s owner to the robbery and any information showing where the phone was located for the 30 days leading up to the robbery.
In practice, critics said, that is an expansive search.
A warrant authorizing a search for “any and all” evidence connecting someone to a specific place or specific person, in fact, allows a broad search of the most minute, private details of a suspect’s life. Evidence could be tucked away in any of thousands of different apps and folders including voice memos, documents, photos, notes, text messages and more ephemeral media on apps like Snapchat or Signal. Phones also contain data logs most people don’t even know exist.
And it’s up to the individual examiner to figure out how and where to look.
“That is kind of the arbitrary decision-making process that the Fourth Amendment, and state versions of the Fourth Amendment, are designed to curb,” Koepke said, referring to the constitutional amendment protecting against unreasonable search and seizure.
He said his team’s research found wording similar to the Portland police’s in search warrants across the country.
“We don’t want discretionary, arbitrary uses of police power. But what these tools do, and those kinds of warrants allow for, is that very thing,” Koepke said. “It’s just this kind of general rummaging through things to say, ‘I think that’s probably within purview of something related to this, so here we go.’”
The Natural Wonders warrant, and numerous others reviewed by OPB, describe how a phone’s contents “seemingly document an individual’s lifestyle, associates, and/or whereabouts at a particular time.” Far from targeting a specific piece of information, the warrants acknowledge the examiners aren’t entirely sure what they’re looking for, and instead list all of the things detectives know are often stored on phones.
In recent years, defense attorneys are challenging those broad warrants more often and are having more success. State and federal judges are increasingly seeing phone searches as overly broad, and throwing warrants out which they say violate the Constitution.
It wasn’t long ago that officers would search a person’s cellphone as routinely as they would search their pockets.
“I can remember when cellphones were fairly new, we used to look through their cellphones and didn’t think much of it,” Bell said about arrestees. “We thought of it like an inventory search.”
That changed in 2014, when the Supreme Court unanimously ruled in Riley v. California, finding that a warrant is required to search a cellphone found during an arrest.
The court found that phones differ from other objects, and that comparing a cellphone to someone’s wallet or other “container” is a problematic analogy.
“A decade ago officers might have occasionally stumbled across a highly personal item such as a diary,” Chief Justice John Roberts wrote. “But today many of the more than 90% of American adults who own cell phones keep on their person a digital record of nearly every aspect of their lives.”
Seven years after the first iPhone hit the market, the court started pulling the Fourth Amendment into the 21st Century.
Magistrate judges across the country started rejecting warrants for being too broad. Some legal observers called it the “magistrate’s revolt.”
“The police showed up with search warrants and the magistrate looked at it and said, ‘No, this is not tailored enough. Think about how much data is on this phone. Go back and do it again,’” said Michael Price, senior litigation counsel for the Fourth Amendment Center at the National Association for Criminal Defense Lawyers. “It kicked off the idea that this is something that defense lawyers should be challenging.”
Four years after the Riley decision, the Oregon State Supreme Court ruled in a different case and significantly altered the legal landscape.
Kaliq Mansor called 911 in June 2011 and reported that his 11-week-old son was coughing up and expelling fluid from his nose. Prior to calling for help, Mansor said he shook the baby, tried to clear his airway, and searched the internet for what to do.
The baby died soon after and was diagnosed with shaken baby syndrome. Investigators later found evidence of an old rib and skull fracture.
Mansor was convicted of murder in 2012.
His internet search history, which included searches for “father hates infant” and “can therapy help an abuser,” was key to his conviction.
On appeal, his defense attorney argued the search warrant for Mansor’s computer was far too broad and should only have included the 15 minutes prior to him calling 911.
The state Supreme Court agreed and overturned his conviction. The court said search warrants for digital devices, whether they are computers, phones or other devices, must be as specific as possible.
The ruling went further and narrowed what is known as the plainview exception. Under the plainview exception, if the police have a search warrant to look for a stolen item in your home, for example, and find evidence of another crime, they can arrest you for that even though it is outside the original warrant.
After Monsor, an investigator flipping through a cellphone for specific evidence as described in a search warrant essentially has to ignore everything else.
“So the balance that the court struck in Mansor is allowing this two-step process to occur where there’s a forensic analyst, typically, who will get a mirror image of the device,” said Jesse Merrithew, a Portland based civil rights attorney. “What the analyst is supposed to do then is ... generate a report for the actual investigators that only contains data from the image which is actually responsive to the search warrant.”
The impacts of the Monsor ruling are still coming into focus.
This past March, the courts handed down a ruling which added some clarity. In State v. Bock, the Oregon Court of Appeals overturned an attempted murder conviction, saying a warrant to search a phone for “all evidence of a particular crime is not sufficiently specific to pass Constitutional muster.”
The court said absent clear limitations on what an officer is looking for, a digital device search warrant often amounts to rummaging through someone’s phone looking for something useful.
Given these most recent court decisions, Merrithew said the Natural Wonders search warrant is unlikely to hold up.
“The court of appeals in Bock was simply saying what the law IS, not changing the law,” Merrithew wrote in an email. “Therefore, the law existed in the exact same way at the time they got the warrant, and they are bound by it.”
That could have far reaching implications for an untold number of open cases and, potentially, old convictions. If warrants issued since 2018 are found to be too broad, a judge could throw out all the resulting evidence.
All of the privacy protections secured through the courts go out the window if someone consents to an officer searching their phone.
“Your consent, as long as it’s knowing and voluntary, is good and they can look wherever they want to look, find whatever they’re going to find, and use it any way they want to,” Merrithew said.
On Nov. 6, 2017, Jonathan Ezra went to the Washington County Sheriff’s Office to speak with Deputy Lucas Spencer and Portland Police Det. Cheryl Waddell, a white collar crime detective.
In a 28-page affidavit outlining a complex fraudulent check-cashing operation, Waddell said bad checks deposited into Ezra’s bank account matched others that had been deposited as part of the fraud ring. According to the affidavit, Ezra denied being a witting participant in the fraud.
According to the affidavit, Waddell read Ezra his Miranda rights before speaking to him during the November interview. Ezra told OPB he was there because he was one of the victims and he wanted to file a complaint.
“They told me I wasn’t under arrest but I felt like I couldn’t leave,” Ezra said. “I was making a claim. It felt so official that I had to sit through this whole thing.”
Ezra, who was 19 at the time, consented to let Waddell search his phone. He said he had started to feel like he might be a suspect and to prove he was innocent, he felt he had to give them his phone.
“Being around a cop ... I always feel kind of scared so I kind of just want to obey them in any way not to cause any disruption or any argument,” Ezra said. “I think in that moment I was very paranoid, anxious to get the whole process over.”
He said he thought they were only searching his phone for the phone numbers of people involved in the fraud and any communications he had with them. According to the affidavit, Waddell performed a Cellebrite extraction and returned the phone to Ezra the next day.
Ezra was never charged with a crime but said he didn’t limit his consent, meaning officers were free to search his phone in its entirety, unconstrained by all the privacy protections that accompany a warrant. Had they found evidence of other crimes, they could have used it against him. If another agency suspected Ezra in a crime, they could also search the extracted data for evidence.
Portland police policies put in place in January 2020 require cellphone search data to be treated like other evidence and kept for the amount of time dictated by the crime in question. But there are exceptions which would allow the bureau to keep that data longer, like when someone gives consent.
Ezra said he had no idea that’s what they were planning to do, and he would not have let them take his phone if he had.
In Upturn’s report, the nonprofit research group found that for many agencies in the U.S., roughly half of all cellphone searches conducted in 2019 were based on consent. The report calls for banning those types of searches because “the power and information asymmetries of cellphone consent searches are egregious and unfixable.”
Multiple defense lawyers told OPB their clients simply do not understand how all-encompassing a cellphone search is. The police understand that, too.
“It is similar to, ‘Hey, can I search your car?’ And they say yes,” said Bell, the Portland police detectives branch commander. “And all of a sudden, you bring out an x-ray machine and some other stuff that they had no idea you had the ability to do.”
Like Ezra, who said he is scared of police and just wanted to do what they said, Merrithew said the very idea of consent is a myth.
“People, when faced with authority figures in particular, are very likely to agree to whatever they’re asked to do,” he said. “I don’t think people understand how extracting works ... but on the other hand, I’m not entirely convinced that they wouldn’t consent even if they did just because people consent to all sorts of police invasions of their privacy without a second thought in order to acquiesce to their authority.”
Correction: A previous version of this story incorrectly identified the court involved in overturning the State v. Bock decision.